Digital Personal Data Protection Act
Digital Personal Data Protection Act, 2023
1. Introduction and Background
About the Act
India’s first comprehensive data protection law, enacted on August 11, 2023
Establishes legal framework for handling digital personal data
Balances individual privacy rights with lawful data processing needs
Enacted six years after the Supreme Court’s 2017 KS Puttaswamy judgment recognizing privacy as a fundamental right under Article 21
Inspired by global frameworks like EU’s GDPR
Uses “she/her” pronouns throughout (first Indian Act to do so)
Applicability
Applies to digital personal data processed within India (collected digitally or digitized later)
Applies to processing outside India if offering goods/services to individuals in India
Covers both Indian citizens and non-citizens residing in India
Does not apply to:
Personal data processed for personal/domestic purposes
Personal data made publicly available by the Data Principal
Non-personal data
2. Key Definitions and Stakeholders
Data Principal
Individual to whom personal data relates
For children (under 18): parents or legal guardians act as Data Principal
For persons with disabilities: legal guardian acts as Data Principal
Data Fiduciary
Person/entity determining purpose and means of processing personal data
Controls how and why data is collected, stored, used, or shared
Includes organizations, companies, government entities
Data Processor
Processes personal data on behalf of Data Fiduciary
Must have valid contract with Data Fiduciary
Significant Data Fiduciary (SDF)
Classification based on:
Volume and sensitivity of data processed
Risk of harm to Data Principals
Impact on sovereignty, integrity, democracy
Security considerations
Examples: Large digital platforms like Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix
Consent Manager
Registered intermediary with Data Protection Board
Facilitates giving, managing, reviewing, and withdrawing consent
Must provide accessible, transparent, and interoperable platform
Requirements:
Indian company with minimum net worth of ₹2 crore
Adequate technical, operational, financial capacity
Directors and Key Managerial Personnel (KMP) with a reputation for fairness and integrity
Must be independent and avoid conflicts of interest
3. Fundamental Principles
Principle of Consent
Data must be collected through lawful and fair means
Individuals must be informed about nature, purpose, and use
Consent must be obtained explicitly
Principle of Purpose Limitation
Data use restricted to consented purpose only
Deviation from consented purpose prohibited
Comprehensive purpose disclosure mandatory
Principle of Data Minimization
Personal data collected must be proportional to purpose
No excessive data collection beyond specific purpose
4. Consent Requirements
Characteristics of Valid Consent
Free: Voluntarily given without coercion
Specific: For particular purpose
Informed: With full knowledge of implications
Unconditional: Without bundled conditions
Unambiguous: Clear affirmative action required
No pre-ticked boxes or bundled approvals allowed
Notice Requirements
Must accompany consent request
Should contain:
Details of personal data to be collected
Purpose of processing
Itemized description of data and processing activities
Must be in English or any language specified in Eighth Schedule of Indian Constitution
Must be clear, standalone, and easily understandable
Consent Withdrawal
Data Principal can withdraw consent at any time
Withdrawal must be as easy as giving consent
Data must be erased upon withdrawal
5. Legitimate Uses (Processing Without Consent)
Section 7 Provisions
Personal data may be processed without consent for:
Voluntary Data Sharing
When Data Principal voluntarily provides data for specific purpose
Until withdrawal of request
State Functions
Provision of subsidies, benefits, services by government
Issuance of certificates, licenses, permits
When previous consent exists or data available in notified government databases
Other Legitimate Uses:
Medical emergency
Employment-related processing
Prevention, detection, investigation of offences
Enforcement of legal rights/claims
Research, archiving, statistical purposes
6. Rights of Data Principal
Core Rights
Right to Access:
Summary of personal data being processed
Processing activities undertaken
Identities of other Data Fiduciaries and Processors with whom data is shared
Right to Correction and Erasure:
Seek correction of inaccurate data
Request erasure of data
Right to Withdraw Consent:
At any point in time
Right to Grievance Redressal:
Readily available grievance mechanisms
Data Fiduciary must respond within prescribed period
Must exhaust this before approaching Data Protection Board
Right to Nominate:
Nominate another individual to exercise rights in event of death or incapacity
Incapacity means inability due to unsoundness of mind or infirmity of body
7. Duties of Data Principal
Mandatory Duties
Not register false or frivolous complaints
Not furnish false particulars or impersonate another person
Not suppress material information for documents/IDs
Furnish only verifiably authentic information
Comply with provisions of applicable laws
Penalty for Breach of Duties:
Up to ₹10,000
8. Obligations of Data Fiduciary
General Obligations
Accuracy and Completeness:
Reasonable efforts to ensure data accuracy
Implement mechanisms for data correction
Security Safeguards:
Reasonable security measures to prevent data breach
Encryption, access controls, regular audits
Maintain audit trails for at least one year
Data Minimization:
Collect only data necessary for specified purpose
Storage Limitation:
Erase data once purpose is met
Delete data when retention not necessary for legal purposes
Exception: Storage limitation does not apply to government entities
Breach Notification:
Inform Data Protection Board within 72 hours of breach
Notify affected Data Principals
Board may extend timeline upon written request
Grievance Redressal:
Establish grievance redressal system
Appoint grievance officer
Purpose Limitation:
Process data only for stated purpose
9. Children’s Data Protection
Definition and Requirements
Child defined as individual below 18 years
Significantly stricter than global standards (GDPR: 13-16 years; COPPA: 13 years)
Verifiable Parental Consent
Mandatory before processing children’s data
Consent from parent or legal guardian required
Verification methods not yet specified (expected in implementation guidance)
Prohibitions
Cannot track or behaviorally monitor children
Cannot conduct targeted advertising to children
Cannot process data harmful to child’s well-being
Cannot use children’s data for profiling
Exemptions
Government may create exemptions for certain types/purposes
Healthcare providers, educational institutions, childcare services may have exemptions
Penalties for Non-Compliance:
Up to ₹200 crore
10. Significant Data Fiduciary – Additional Obligations
Classification Criteria
Government determines based on:
Volume and sensitivity of data processed
Risk of harm to individuals
Impact on sovereignty, integrity, democracy
Use of emerging technologies
National security considerations
Enhanced Obligations
Appointment of Data Protection Officer (DPO):
Must be based in India
Responsible for compliance oversight
Data Protection Impact Assessment (DPIA):
Periodic assessments required
Evaluate risks and safeguards
Independent Audit:
Regular audits by independent data auditor
Enhanced Accountability:
Closer regulatory scrutiny
Higher compliance standards
Penalties for Non-Compliance:
Up to ₹150 crore
11. Cross-Border Data Transfer
General Framework
Personal data may be transferred outside India
Negative list/Blacklist approach: Transfers allowed except to countries specifically restricted by Central Government
No blanket data localization requirement
Government Powers
Central Government can notify blacklisted countries/territories
Restrictions based on:
Inadequate data protection frameworks
National security concerns
Discretionary power to whitelist or blacklist jurisdictions
Compliance Requirements
Data Principals must be informed about cross-border transfer
Consent and notice requirements apply
Security controls must be implemented
Exemptions for government approvals, emergencies, national security
Sectoral Regulations:
Must comply with RBI, SEBI regulations for financial data
Sector-specific requirements may apply
12. Exemptions Under the Act
General Exemptions
Processing publicly available personal data
Research, archiving, statistical purposes:
If data not used to make decisions directly affecting Data Principals
Must follow standards in Schedule 2 of Draft Rules
Startups and certain Data Fiduciaries:
Government may exempt based on volume/nature of data
May not require detailed notices
Not mandated to ensure data accuracy
Must meet government-defined criteria
Legal rights and judicial functions:
Processing for legal proceedings, investigations
Enforcement of legal rights/claims
Must remain within legal boundaries
State/Government Exemptions
National security, public order:
Central Government can exempt agencies for:
Sovereignty and integrity of state
Security of state
Friendly relations with foreign nations
Public order
Prevention of offences
Processing by exempted agencies:
Data shared by exempted instrumentality with Central Government is also exempt
Law enforcement purposes:
Exemptions for prevention, detection, investigation, prosecution of offences
Rights of Data Principal and most obligations of Data Fiduciary do not apply
Data security obligations still apply
Personal Data Exemptions
Processing for personal/domestic purposes
Journalistic purposes or artistic expression
13. Data Protection Board of India (DPBI)
Structure and Composition
Independent adjudicatory authority (not policy-making regulator)
Consists of Chairperson and Members appointed by Central Government
Members with expertise in law, data protection, IT, cybersecurity, public administration
Fixed-term appointments with removal grounds for misconduct, incapacity, conflict of interest
Functions independently despite government appointment
Powers and Functions
Receives and adjudicates complaints
From Data Principals after exhausting fiduciary grievance mechanisms
From state/central governments or courts
Suo motu inquiries
Investigates breaches
Security lapses, consent violations, retention failures
Powers of civil court
Issues orders and penalties
Monetary penalties up to ₹250 crore per violation
Corrective directions (erasure, halt processing, upgrade safeguards)
Monitors compliance
Oversees Consent Managers
Monitors Significant Data Fiduciaries
Digital-first operations
Fully online grievance redressal
Faster complaint resolution
Transparency:
Must provide written reasons for decisions
May publish orders
Adjudication Process
Complaint filed or suo motu inquiry initiated
Investigation conducted
Opportunity for hearing provided
Penalty/order issued with written reasons
Appeals to Telecom Disputes Settlement and Appellate Tribunal within 60 days
Further appeals to High Courts/Supreme Court
14. Penalties and Enforcement
Penalty Framework
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | Up to ₹250 crore |
| Failure to notify breach to Board/Data Principals | Up to ₹200 crore |
| Breach of obligations regarding children’s data | Up to ₹200 crore |
| Failure to obtain proper consent | Up to ₹200 crore |
| Breach of SDF additional obligations | Up to ₹150 crore |
| Non-fulfilment of Data Principal rights | Up to ₹50 crore |
| Breach of any other provision | Up to ₹50 crore |
| Breach of Data Principal duties | Up to ₹10,000 |
Factors Influencing Penalty Assessment
Nature, gravity, and duration of breach
Sensitivity of data involved
Volume of individuals affected
Nature of fiduciary (startup vs. large enterprise)
Harm caused to Data Principals
Willful/negligent/repeated nature of violation
Cooperation during investigation
Mitigation steps taken
Key Notes:
No criminal liability – only financial penalties
Penalties are per violation/per breach
Risk-based approach with proportionality principle
15. DPDP Rules 2025
Status and Timeline
Draft Rules released for public consultation (until February 18, 2025)
Phased implementation approach
Data Protection Board provisions: Effective immediately upon final rules publication
Other compliance provisions: To be notified later (reports suggest 2-year timeline)
Final enforcement timeline not yet officially announced
Key Provisions
Data Transfer:
Certain personal data transfer outside India allowed as approved by government
Data Retention and Erasure:
Retention allowed up to 3 years from last interaction with Data Principal or effective date of rules (whichever is later)
Data Fiduciary must notify Data Principal at least 48 hours before erasure
Graded Responsibilities:
Lower compliance burden for startups and MSMEs
Higher obligations for Significant Data Fiduciaries
Digital-First Approach:
Digital-by-design Data Protection Board
Faster online resolution of complaints
Consent Management Systems:
Business Requirements Document (BRD) released for CMS development
Comprehensive consent lifecycle management
16. Key Features Summary
Citizen-Centric Approach
Places citizens at heart of framework
Empowers with greater control over data
Clear and accessible information about data processing
User-friendly mechanisms to manage data
Balanced Framework
Balance between innovation and regulation
Protects privacy while enabling digital economy growth
Addresses unauthorized commercial use, digital harms, breaches
Enforcement Mechanism
Strong Data Protection Board with adjudicatory powers
Substantial financial penalties (up to ₹250 crore)
Appeals mechanism to Appellate Tribunal
Transparency and Accountability
Mandatory notice requirements
Security safeguards and breach notifications
Audit trails and documentation requirements
Grievance redressal mechanisms
Special Protections
Enhanced protection for children’s data
Safeguards for persons with disabilities
Prohibition of harmful practices (tracking, profiling, targeted advertising to children)